On Wed, Feb 27, 2013 at 9:05 PM, Matthias Vallentin <[email protected]> wrote: >> Before I sit down and pound out a bunch of code, I was wondering if >> anyone has already written something that does this (ideally for Bro, >> but we could talk about other IDSes as well). > > Since recently the master branch of Bro contains a script "notary.bro" > [1] that does exactly what you are looking for: it SHA-hashes X.509 > certificates flying by and asks the ICSI notary via DNS whether (i) > the notary deems a certificate valid, (ii) when it has been seen the > first time, (iii) the last time, (iv) and how many days in between. > This extra information then goes into the ssl.log file that you may > already know. This relatively new script has only gone through basic > unit testing, so any feedback would be highly appreciated.
Thanks for the pointer; I had checked out the master branch but somehow failed to notice that script. It looks like it will do what I want at least on paper; I will experiment and let you know how it goes. > In the context of real-time monitoring of a large number of > certificates, we needed to resort to a decentralized and scalable > protocol, for which DNS fits perfectly well. We did not want to > reinvent a custom distribution layer because DNS with its caching > abilities provides all we need. ... The big problem I have with the DNS-based protocol is that if you get a negative response for a certificate fingerprint, there's no way to ask the notary what it thinks the certificate _should have been_ for that host+port. This is important for e.g. recognizing when a change is due to normal replacement of an expired certificate. Now, the flip side of that is that a query "what certificate for this host+port?" is more privacy-sensitive than a query "what do you think of the certificate with this fingerprint?" But I suspect that an eavesdropper on the client will be able to figure out everything anyway. zw
